Business associate agreement

This Business Associate Agreement (“BAA”), effective 7/18/2007 (“Effective Date”), is entered into by and between Ansaphone Service, Inc. (the “Business Associate”) and __________________________ with an addresses at __________________________, (the “Covered Entity”) (each a “Party” and collectively the “Parties”).

1. 
   use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws.
   

2. 
   disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that the Business Associate represents to the Covered Entity, in writing, that (i) the disclosures are required by law, as provided for in 45 C.F.R. § 164.501 or (ii) the Business Associate has received from the third party written assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. § 164.504(e)(4).
   

1. 
   aggregate the Protected Health Information in its possession with the Protected Health Information of other covered entities that the Business Associate has in its possession through its capacity as a business associate to said other covered entities provided that the purpose of such aggregation is to provide the Covered Entity with data analyses relating to the Health Care Operations of the Covered Entity. Under no circumstances may the Business Associate disclose Protected Health Information of one Covered Entity to another Covered Entity absent the explicit authorization of the Covered Entity.
   

2. 
   de-identify any and all Protected Health Information provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514(b), and further provided that the Covered Entity maintains the documentation required by 45 C.F.R. § 164.514(b) which may be in the form of a written assurance from the Business Associate. Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute Protected Health Information and is not subject to the terms of this Agreement.
   

1. 
   use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise required by law.
   

2. 
   report to the designated Privacy Officer and/or Security Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware within 30 days of the Business Associate’s discovery of such unauthorized use and/or disclosure.
   

3. 
   use commercially reasonable efforts to maintain the security of the PHI and to prevent unauthorized use and/or disclosure of such Protected Health Information.
   

4. 
   require all of its subcontractors and agents that receive or use, or have access to, PHI under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to section 2 of this Agreement.
   

5. 
   make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy and/or Security Regulation, subject to attorney-client and other applicable legal privileges.
   

6. 
   upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within 30 days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement.
   

7. 
   within 30 days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. § 164.528.
   

8. 
   subject to Section 3.4 below, return to the Covered Entity or destroy, within 30 days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies. This includes, but is not limited to; all media, media backups, and any other files (i.e. sound or .wav files) and/or paper which contains PHI.
   

1. 
   to inform the Business Associate of any changes in the form of notice of privacy practices (the “Notice”) that the Covered Entity provides to individuals pursuant to 45 C.F.R. §164.520, and provide the Business Associate a copy of the Notice currently in use.
   

2. 
   to inform the Business Associate of any changes in, or withdrawal of, the consent or authorization provided to the Covered Entity by individuals pursuant to 45 C.F.R. §164.506 or §164.508.
   
3. 
   to inform the Business Associate of any opt-outs exercised by any individual from marketing and/or fundraising activities of the Covered Entity pursuant to 45 C.F.R. § 164.514(e).
   

4. 
   to notify the Business Associate, in writing and in a timely manner, of any arrangements permitted or required of the Covered Entity under 45 C.F.R. part 160 and 164 that may impact in any manner the use and/or disclosure of Protected Health Information by the Business Associate under this Agreement, including, but not limited to, restrictions on use and/or disclosure of Protected Health Information as provided for in 45 C.F.R. § 164.522 agreed to by the Covered Entity.
   

5. 
   that Business Associate may make any use and/or disclosure of Protected Health Information permitted under 45 C.F.R. § 164.512 except uses or disclosure for research are not permitted without prior approval by the covered entity.
   

3.1 Term. This Agreement shall become effective on the Effective Date and shall continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section 3.

3.2 Termination by the Covered Entity. As provided for under 45 C.F.R. § 164.504(e)(2)(iii), the Covered Entity may terminate this Agreement and any related agreements if the Covered Entity makes the determination that the Business Associate has breached a material term of this Agreement. The Covered Entity must : (i) provide the Business Associate with 30 day’s written notice of the existence of an alleged material breach; and (ii) afford the Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms. Nonetheless, in the event that mutually agreeable terms can not be achieved within 30 days, Business Associate must cure said breach to the reasonable satisfaction of the Covered Entity.

3.3 Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of a previous oral or written agreement between the Parties.

3.4 Effect of Termination. Upon the event of termination pursuant to this Section 3, Business Associate agrees to return or destroy all Protected Health Information pursuant to 45 C.F.R. § 164.504(e)(2)(I), if it is feasible to do so. If it is not feasible for the Business Associate to return or destroy said Protected Health Information, the Business Associate will notify the Covered Entity in writing. Said notification shall include: (i) a statement that the Business Associate has determined that it is infeasible to return or destroy the Protected Health Information in its possession, and (ii) the specific reasons for such determination, which reasons the Parties agree may include, but are not limited to, b bb ackup media. Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Agreement to the Business Associate’s use and/or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.

4. MISCELLANEOUS

4.1 Covered Entity. For purposes of this Agreement, Covered Entity shall include all entities covered by the joint notice of information practices (or privacy notice), which includes hospitals, laboratories, imaging centers, nursing facilities, and medical offices.

4.2 Business Associate. For purposes of this Agreement, Business Associate shall include the named Business Associate herein. However, in the event that the Business Associate is otherwise a covered entity under the Privacy and/or Security Regulation, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. § 164.504(a), as the Business Associate for purposes of this Agreement.

4.3 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

4.4 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

4.5 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address given below, and/or (other than for the delivery of fees) via facsimile to the facsimile telephone numbers listed below.

If to Business Associate, to: If to Covered Entity, to:

Each Party named above may change its address and that of its representative for notice by the giving of notice thereof in the manner hereinabove provided.

4.6 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.

7. 
   Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 3.4, 4.4, and Section 2.1 solely with respect to Protected Health Information Business Associate retains in accordance with Section 3.4, because it is not feasible to return or destroy such Protected Health Information, shall survive termination of this Agreement indefinitely.
   

5.1 Catch-all: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.